Security modules for conditional access with restrictions



INTRODUCTION TO THE INVENTION 

In recent years the amount of content protection systems is growing in a rapid pace. Some of these systems only protect the content against illegal copying, while others are also prohibiting the user to get access to the content. The first category is called Copy Protection (CP) systems. CP systems have traditionally been the main focus for consumer electronics (CE) devices, as this type of content protection is thought to be cheaply implemented and does not need bi-directional interaction with the content provider. Some examples are the Content Scrambling System (CSS), the protection system of DVD ROM discs, and DTCP, the protection system for IEEE 1394 connections.

The second category is known under several names. In the broadcast world, systems of this category are generally known as conditional access (CA) systems, while in the Internet world they are generally known as Digital Rights Management (DRM) systems.

Some types of CP systems can also provide services to interfacing CA or DRM systems. Examples are the systems currently under development by the DVB-CPT subgroup and the TV-Anytime RMP group. The goal is a system in which a set of devices can authenticate each other through a bi-directional connection. Based on this authentication, the devices will trust each other and this will enable/allow them to exchange protected content. The accompanying licenses describe which rights the user has and what operations he is allowed to perform on the content. The license is protected by means of some general network secret, which is only exchanged between the devices within a certain household. This network of devices is called Authorized Domain (AD).

In some of the current proposals for authorized domains, the number of devices is the main limitation of the size of the authorized domain. The proposals (like the SmartRight system developed by Thomson Multimedia) have a fixed maximum of the number of devices that might be part of the authorized domain. The main reason for limiting the size of the domain is to prevent domains from spreading unbounded over the Internet, where people open their authorized domain for complete strangers at the other end of the world. By limiting the size of the authorized domain, people have the incentive to allow only their own devices to be part of the domain.
This fixed maximum on the number of devices in the authorized domain has a number of disadvantages. One disadvantage is the fact that when a device breaks down or gets stolen, it is difficult to recover the rights associated with this device in the authorized domain, because the admission of devices to the domain may not be centrally controlled and it is also not archived which particular devices are part of the domain at any time.

A further disadvantage of the fixed maximum is the fact that it is very difficult to determine beforehand what a reasonable value of the maximum is. Especially when in the future more networked devices are hooked up to the home network, the value that seems reasonable today may be far too low in the future. However, it is very complex to implement such a fixed maximum in a way that allows easy upgrading of the maximum in the future.

SUMMARY OF THE INVENTION 

It is an object of the present invention to provide a system in which the size of a particular domain can be restricted, whilst overcoming the disadvantages associated with a fixed maximum on the number of the devices in the particular domain.

This object is achieved according to the present invention in a system in which the number of simultaneously active sessions is used as a measure or indication of the domain size. This number could be, for example, the number of content items accessed at the same time, or the number of actively rendering devices.

In one embodiment, devices need to register themselves at the authorized domain in the normal way, but the total number of devices that can register is unlimited. On top of this registration, a device needs to open a session to a security module, such as a smart card. The total limitation of the network size is in this embodiment accomplished by limiting the number of security modules in cooperation with limiting the number of sessions that a security module supports. As will become apparent below, many alternative embodiments are possible within the scope of the invention.

One could for example use as security module a smart card that supports only one session (i.e. with the device that holds the smart card) and the total number of smart cards permitted to be used in the domain at one time is limited to a certain maximum.

Important in this implementation is to prevent "session-hopping". "Session-hopping" is a possible mechanism to share sessions over the Internet. People who have spare (unused) sessions in their own domain might want to share those sessions over the Internet, thereby escaping from the basic requirement set on authorized domains, i.e. limiting the distribution of content over the Internet. This issue can be addressed by installing mechanisms such as allowing a device to be registered at only one authorized domain and installing time delays that limit changing the registration to for instance once per day. This could be replaced with or combined with requiring an active action of the domain holder, possibly a physical action on one of the domain devices.
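The registration policy just described can be made concrete in a few lines. The following Go program is an added example written for this edit; it is not code from the patent or from any product it mentions. It assumes a 24-hour minimum interval between registration changes (the text gives "once per day" only as an example), treats the first enrolment of a device as free, and combines the delay with the domain holder's physical confirmation, which the text allows as an alternative or an addition. The device and domain identifiers are constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Policy constants are assumptions of this example: the text gives "once per
// day" as an example delay and mentions a physical action by the domain holder.
const minChangeInterval = 24 * time.Hour

var (
	ErrTooSoon        = errors.New("registration was changed less than a day ago")
	ErrNoConfirmation = errors.New("domain holder must confirm the change on a domain device")
)

type registration struct {
	domainID string
	since    time.Time
}

// Registrar records, per device, the single authorized domain it belongs to.
// In a deployment this state would live in tamper-resistant storage; here it
// is an in-memory map.
type Registrar struct {
	devices map[string]registration
}

func NewRegistrar() *Registrar {
	return &Registrar{devices: make(map[string]registration)}
}

// Register enrolls deviceID in domainID at time now. A device is in at most one
// domain: joining a different domain replaces the old membership and is only
// accepted after minChangeInterval has elapsed since the last change AND the
// domain holder has confirmed it physically (confirmed). Together the two
// checks make moving spare sessions between households impractical.
func (r *Registrar) Register(deviceID, domainID string, now time.Time, confirmed bool) error {
	cur, known := r.devices[deviceID]
	if known && cur.domainID == domainID {
		return nil // already a member of this domain
	}
	if known {
		if now.Sub(cur.since) < minChangeInterval {
			return ErrTooSoon
		}
		if !confirmed {
			return ErrNoConfirmation
		}
	}
	r.devices[deviceID] = registration{domainID: domainID, since: now}
	return nil
}

// DomainOf reports the domain a device is currently registered at, if any.
func (r *Registrar) DomainOf(deviceID string) (string, bool) {
	reg, ok := r.devices[deviceID]
	return reg.domainID, ok
}

func main() {
	r := NewRegistrar()
	t0 := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC) // constructed timeline
	fmt.Println("join home-A:     ", r.Register("tv-102", "home-A", t0, false))
	fmt.Println("hop after 1h:    ", r.Register("tv-102", "home-B", t0.Add(time.Hour), true))
	fmt.Println("hop after 25h:   ", r.Register("tv-102", "home-B", t0.Add(25*time.Hour), false))
	fmt.Println("hop + confirmed: ", r.Register("tv-102", "home-B", t0.Add(25*time.Hour), true))
}
```

The delay check runs before the confirmation check on purpose: a confirmation cannot shorten the waiting period, so the rate limit holds even if the confirmation step were automated on a compromised device.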


BRIEF DESCRIPTION OF THE FIGURES

These and other aspects of the invention will be apparent from and elucidated with reference to the illustrative embodiments shown in the drawings, in which:

Fig. 1 schematically shows a system comprising devices interconnected via a network;

Fig. 2 schematically shows the schematic division of the system 100 of Fig. 1 into a CA domain and a CP domain; and

Fig. 3 schematically shows a preferred embodiment of a security module, in the form of a smart card, for use in the system of Fig. 1.

Throughout the figures, same reference numerals indicate similar or corresponding features. Some of the features indicated in the drawings are typically implemented in software, and as such represent software entities, such as software modules or objects.

SYSTEM ARCHITECTURE

Fig. 1 schematically shows a system 100 comprising devices 101-105 interconnected via a network 110. In this embodiment the system 100 is an in-home network. A typical digital home network includes a number of devices, e.g. a radio receiver, a tuner/decoder, a CD player, a pair of speakers, a television, a VCR, a tape deck, and so on. These devices are usually interconnected to allow one device, e.g. the television, to control another, e.g. the VCR. One device, such as e.g. the tuner/decoder or a set top box (STB), is usually the central device, providing central control over the others.

Content, which typically comprises things like music, songs, movies, TV programs, pictures, books and the like, but which also includes interactive services, is received through a residential gateway or set top box 101. The source could be a connection to a broadband cable network, an Internet connection, a satellite downlink and so on. The content can then be transferred over the network 110 to a sink for rendering. A sink can be, for instance, the television display 102, the portable display device 103, the mobile phone 104 and/or the audio playback device 105.
The exact way in which a content item is rendered depends on the type of device and the type of content. For instance, in a radio receiver, rendering comprises generating audio signals and feeding them to loudspeakers. For a television receiver, rendering generally comprises generating audio and video signals and feeding those to a display screen and loudspeakers. For other types of content a similar appropriate action must be taken. Rendering may also include operations such as decrypting or descrambling a received signal, synchronizing audio and video signals and so on.

The set top box 101, or any other device in the system 100, may comprise a storage medium S1 such as a suitably large hard disk, allowing the recording and later playback of received content. The storage medium S1 could be a Personal Digital Recorder (PDR) of some kind, for example a DVD+RW recorder, to which the set top box 101 is connected. Content can also enter the system 100 stored on a carrier 120 such as a Compact Disc (CD) or Digital Versatile Disc (DVD).

The portable display device 103 and the mobile phone 104 are connected wirelessly to the network 110 using a base station 111, for example using Bluetooth or IEEE 802.11b. The other devices are connected using a conventional wired connection. To allow devices 101-105 to interact, several interoperability standards are available, which allow different devices to exchange messages and information and to control each other. One well-known standard is the Home Audio/Video Interoperability (HAVi) standard, version 1.0 of which was published in January 2000, and which is available on the Internet at the address http://www.havi.org/. Other well-known standards are the domestic digital bus (D2B) standard, a communications protocol described in IEC 1030, and Universal Plug and Play (http://www.upnp.org).

It is often important to ensure that the devices 101-105 in the home network do not make unauthorized copies of the content. To do this, a security framework, typically referred to as a Digital Rights Management (DRM) system, is necessary.

In one such framework, the home network is divided conceptually in a conditional access (CA) domain and a copy protection (CP) domain. Typically, the sink is located in the CP domain. This ensures that when content is provided to the sink, no unauthorized copies of the content can be made because of the copy protection scheme in place in the CP domain. Devices in the CP domain may comprise a storage medium to make temporary copies, but such copies may not be exported from the CP domain. This framework is described in European patent application 01204668.6 (attorney docket PHNL010880) by the same applicant as the present application.
Regardless of the specific approach chosen, all devices in the in-home network that implement the security framework do so in accordance with the implementation requirements. Using this framework, these devices can authenticate each other and distribute content securely. Access to the content is managed by the security system. This prevents the unprotected content from leaking to unauthorized devices and data originating from untrusted devices from entering the system.

Fig. 2 schematically shows the schematic division of the system 100 of Fig. 1 into a CA domain and a CP domain. In Fig. 2, the system 100 comprises a source, a sink, and two storage media S1 and S2. Most content enters the in-home network in the CA domain through the set top box 101 (the source). Typically, the sinks, for instance the television system 102 and the audio playback device 105, are located in the CP domain. This ensures that when content is provided to the sink, no unauthorized copies of the content can be made because of the copy protection scheme in place in the CP domain.

A CA->CP gateway is provided between the CA and the CP domains. This gateway is responsible for letting content enter the CP domain. This process may require transcoding and/or (re-)encrypting the content, translating digital rights associated with the content to a format supported in the CP domain, and so on.

The CP domain comprises a storage medium S2, on which (temporary) copies of the content can be stored in accordance with the copy protection rules. These copies can be used for time-shifted playback of the content, but these copies may not be exported from the CP domain.

A device becomes part of the CP domain by connecting it to another device already in the CP domain, or by connecting it to the bus connecting these devices. Once a device has been added, it must remain in that particular CP domain for a certain period of time, for example one day.



SECURITY MODULES 

Fig. 3 schematically shows a preferred embodiment of a security module, shown here in the form of a smart card 300. To protect content against unauthorized copying, instances of content are provided to the system 100 in encrypted form. Before it can be rendered it needs to be decrypted, using a control word. Handling control words and/or decrypting instances of content is the responsibility of the security module. The security module should therefore be well protected against tampering.
Of course there are many ways to implement security modules. A common secure solution is to embody the security module in the form of a smart card. The security module could also be provided as an integrated component of one of the devices 101-105, or as a separate device. The security module can be embodied in hardware, software or a combination thereof.

The smart card 300 comprises a conditional access module 310 and a secure storage module 311. Smart cards are much more difficult to compromise than ordinary computers or software and so offer a better way of protecting the conditional aspects of a conditional access service. One or more of the devices 101-105 is then equipped with a smart card reader, in which the user can insert the smart card 300.

The control word necessary to decrypt the content can be stored in the secure storage module 311 on the smart card 300. This way, it is very difficult for the user to obtain the control word, and so it is very difficult for him to access the content without paying for it. The smart card 300 may comprise a decryption module 312, which decrypts an instance of the content using the control word and supplies the decrypted instance to a rendering device such as television 102.

Alternatively, the smart card 300 can supply the control word to another device which then decrypts the instance. In this case it is possible that the device has been tampered with in such a way that it will not simply decrypt the instance but also store the control word or store the unencrypted content without authorization to do so. In order to prevent such a modified device from accessing the control word, the smart card 300 may employ an authentication mechanism in order to verify whether the device has been tampered with.

This authentication mechanism is for instance realized by having the smart card issue an encrypted 'challenge' to the device, which the device must decrypt and send back to the smart card 300. If the device cannot correctly decrypt the challenge, it is not a compliant device and may not get access to the control word. Alternatively, the smart card 300 can check the integrity of some part of the program code to be executed by the device, for example by verifying a digital signature.
The control word may be provided in an Entitlement Control Message (ECM) that is sent to the system 100 by the service provider providing the encrypted service. It could also be stored permanently in the smart card 300. This ECM is then provided to the smart card 300 and thereby to the conditional access module 310, which obtains the control word from the ECM. The control word will often be present in an encrypted form in the ECM, and so the conditional access module 310 will need to decrypt the control word. The decryption key necessary to decrypt the control word can then be stored in the secure storage module 311.
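The two card-side procedures described above, the challenge-response check of the device before the control word is handed out and the recovery of the control word from an ECM, are shown together in the following Go program. It is an added example written for this edit, not code from the patent or from any smart card product. It assumes AES-GCM as the cipher for both the challenge and the ECM (the text names no algorithm), a shared secret provisioned per compliant device in the card's secure storage, an Ed25519 public key on the card for the alternative code-signature check, and constructed keys, identifiers and control word values; the module numbers in the comments refer to Fig. 3.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// AES-GCM stands in for whatever cipher a real card uses (an assumption of
// this example). seal prepends the nonce so that open can recover it.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func open(key, ciphertext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(ciphertext) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, ciphertext[:n], ciphertext[n:], nil)
}

// SmartCard models card 300: secure storage 311 holds the ECM key and one
// shared secret per compliant device (provisioning assumed); the CA module 310
// recovers the control word; codeSigner backs the code-signature check.
type SmartCard struct {
	ecmKey     []byte
	deviceKeys map[string][]byte
	codeSigner ed25519.PublicKey
}

// ControlWordFromECM: the control word travels encrypted in the ECM.
func (c *SmartCard) ControlWordFromECM(ecm []byte) ([]byte, error) {
	return open(c.ecmKey, ecm)
}

// Challenge returns the encrypted challenge for the device and the plaintext
// the card keeps; an unknown device has no key and seal fails on it.
func (c *SmartCard) Challenge(deviceID string) (encrypted, expected []byte, err error) {
	key := c.deviceKeys[deviceID]
	expected = make([]byte, 16)
	if _, err = rand.Read(expected); err != nil {
		return nil, nil, err
	}
	encrypted, err = seal(key, expected)
	return encrypted, expected, err
}

// DeviceRespond is the device side: only a holder of the shared key can
// decrypt the challenge; with a wrong key AES-GCM rejects it outright.
func DeviceRespond(deviceKey, challenge []byte) ([]byte, error) {
	return open(deviceKey, challenge)
}

// ReleaseControlWord hands out the control word only if the response matches
// the expected plaintext (constant-time comparison).
func (c *SmartCard) ReleaseControlWord(ecm, expected, response []byte) ([]byte, error) {
	if subtle.ConstantTimeCompare(expected, response) != 1 {
		return nil, errors.New("device failed authentication: control word withheld")
	}
	return c.ControlWordFromECM(ecm)
}

// VerifyDeviceCode is the alternative check: a signature over a hash of the
// program code the device will execute.
func (c *SmartCard) VerifyDeviceCode(code, sig []byte) bool {
	digest := sha256.Sum256(code)
	return ed25519.Verify(c.codeSigner, digest[:], sig)
}

func main() {
	devKey := []byte("fedcba9876543210") // constructed demo keys
	card := &SmartCard{ecmKey: []byte("0123456789abcdef"), deviceKeys: map[string][]byte{"tv-102": devKey}}
	ecm, _ := seal(card.ecmKey, []byte("constructed-cw")) // constructed ECM
	enc, expected, _ := card.Challenge("tv-102")
	resp, _ := DeviceRespond(devKey, enc)
	cw, err := card.ReleaseControlWord(ecm, expected, resp)
	fmt.Printf("compliant device: cw=%q err=%v\n", cw, err)
}
```

The card never sends the plaintext challenge and never releases the control word on the strength of a received message alone: the device must prove possession of the shared key by producing the plaintext, and the comparison is constant-time so a tampered device learns nothing from timing. The ECM key stays inside the card; the device only ever sees the control word, and only after it has passed the check.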

In accordance with the present invention, the smart card 300 is also provided with a session management module 313. The term "session" refers to the handling of a specific instance of a content item, in particular decrypting the instance and supplying the decrypted instance to the rendering device. Handling may be restricted to a portion of the instance (e.g. the audio channels of the video stream of a movie), or cover the instance as a whole (audio, video, Teletext information, and so on). Another definition of a "session" could be the number of active devices, or the number of active displays (monitor, audio amplifier, ...). The smart card 300 is a central entity in this process.

It may be that two rendering devices are simultaneously rendering the same television program, or that one rendering device is playing back a piece of music and a storage device is making a copy of the same piece of music at the same time. In both cases the system 100 is handling two simultaneous sessions, even if both devices are operating on the same stream of data.

SESSION RESTRICTION 

The session management module 313 is operable to restrict the number of simultaneous sessions that the smart card 300 is permitted to handle. This way, the owner of the system 100 can connect an unlimited number of devices to the system 100, but he will not be able to view or listen to many instances of content at the same time. If the entire system 100 is located within one household, this is not a problem, assuming a reasonable upper limit on the number of simultaneous sessions is chosen.
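The session accounting described here, together with the embodiment from the summary in which device registration is unlimited while the number of security modules and the sessions per module are capped, can be modelled directly. The following Go program is an added example written for this edit, not code from the patent; it assumes that each session is tied to one security module, that a device must be registered before it can open a session, and that a session is opened per content instance per device, so two devices on the same stream count twice as the text states. The card, device and content identifiers are constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
)

var (
	ErrSessionLimit = errors.New("security module: session limit reached")
	ErrCardLimit    = errors.New("domain: maximum number of security modules reached")
	ErrUnregistered = errors.New("domain: device is not registered")
	ErrUnknownCard  = errors.New("domain: unknown security module")
)

// SessionManager models module 313 on one smart card 300: it caps the sessions
// the card handles at once. Two devices rendering the same stream are two sessions.
type SessionManager struct {
	cardID   string
	maxOpen  int
	sessions map[string]string // session id -> "device:content instance"
	nextID   int
}

func NewSessionManager(cardID string, maxOpen int) *SessionManager {
	return &SessionManager{cardID: cardID, maxOpen: maxOpen, sessions: make(map[string]string)}
}

func (m *SessionManager) Open(deviceID, instance string) (string, error) {
	if len(m.sessions) >= m.maxOpen {
		return "", ErrSessionLimit
	}
	m.nextID++
	id := fmt.Sprintf("%s/%d", m.cardID, m.nextID)
	m.sessions[id] = deviceID + ":" + instance
	return id, nil
}

// Close frees a slot; it reports whether the session existed.
func (m *SessionManager) Close(id string) bool {
	_, ok := m.sessions[id]
	delete(m.sessions, id)
	return ok
}

// Domain is the embodiment from the summary: any number of devices may register,
// but the number of security modules and the sessions per module are capped.
type Domain struct {
	maxCards int
	devices  map[string]bool
	cards    map[string]*SessionManager
}

func NewDomain(maxCards int) *Domain {
	return &Domain{maxCards: maxCards, devices: make(map[string]bool), cards: make(map[string]*SessionManager)}
}

// RegisterDevice never refuses: registration alone grants no session.
func (d *Domain) RegisterDevice(deviceID string) { d.devices[deviceID] = true }

func (d *Domain) AddCard(cardID string, sessionsPerCard int) error {
	if len(d.cards) >= d.maxCards {
		return ErrCardLimit
	}
	d.cards[cardID] = NewSessionManager(cardID, sessionsPerCard)
	return nil
}

// Capacity is the number of simultaneous sessions the whole domain supports;
// this, not the device count, is what bounds the domain.
func (d *Domain) Capacity() int {
	total := 0
	for _, c := range d.cards {
		total += c.maxOpen
	}
	return total
}

// OpenSession: a registered device asks a specific security module for a session.
func (d *Domain) OpenSession(deviceID, cardID, instance string) (string, error) {
	if !d.devices[deviceID] {
		return "", ErrUnregistered
	}
	card, ok := d.cards[cardID]
	if !ok {
		return "", ErrUnknownCard
	}
	return card.Open(deviceID, instance)
}

func main() {
	dom := NewDomain(2) // constructed: two cards, one session each
	dom.AddCard("card-A", 1)
	dom.AddCard("card-B", 1)
	dom.RegisterDevice("tv-102")
	dom.RegisterDevice("pda-103")
	s, err := dom.OpenSession("tv-102", "card-A", "movie-1")
	fmt.Println("tv-102 on card-A:", s, err)
	_, err = dom.OpenSession("pda-103", "card-A", "movie-1")
	fmt.Println("pda-103 on card-A (same stream):", err)
}
```

With two one-session cards the domain can register any number of devices but never exceeds two concurrent sessions, and a session slot only becomes available again when an existing session is closed on that card.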

If the devices in the system 100 are distributed over various houses in a particular district, the same upper limit seriously restricts the use of the devices. For example, if the upper limit is set to twelve simultaneous sessions, all members of an average household [...] television programs, listen to the radio and at the